As travel restarts and we all look toward resuming in-person events, I find myself also looking at how our lives have changed over the past two years. Shops that we used to frequent have closed, while other businesses have expanded and taken their place. And although offices have begun re-opening, the expectations around remote work have also changed. For many of us, our time will now be split between working from home and going into an office. As such, our methods of working and interaction have changed to place more reliance on cloud and online solutions.
When I look across all of these facets, a common thread arises: the organizations that were successful were the ones that recognized the need to focus on enablement and user experience first. They saw the challenges and friction created by a primarily online world and implemented solutions to remove them. We are all familiar with Zoom, but also consider services such as Instacart, or your local restaurant’s online ordering platform. Across all of these applications, the first experience any of us have with them is identity. When identity management is done well, it is a seamless experience that helps us create tailored environments that allow us to achieve our goals quickly – whether that be purchasing take-out for our families or collaborating on the annual report. When identity management is done poorly, it drives our customers away to the competition, or encourages shadow IT and the use of unapproved cloud services.
Let’s be honest – as GRC and Security practitioners, we have not done a great job in helping our organizations balance the security and usability needs of identity. In the past, we leaned heavily on password complexity to secure identities – requiring upper case, lower case, symbols, and numbers; preventing the use of real words; prohibiting repeating characters; requiring changes every 30 days. These controls improved security on paper, but in practice they drove employees to bad password hygiene such as re-using the same password across sites or writing passwords down, increasing real-world risk. That reuse is exactly what Credential Stuffing attacks exploit: lists of usernames and passwords leaked from one breach are replayed against other services with automated tooling, and every account whose owner reused a password falls. No composition rule defends against this, which is one reason current NIST guidance (SP 800-63B) now advises against both composition rules and scheduled password rotation. According to The Ponemon Institute’s Cost of Credential Stuffing, businesses lose an average of $6 million USD per year to these types of attacks (source: https://auth0.com/blog/what-is-credential-stuffing/). And with the recent push to deploy multi-factor authentication to mitigate this loss, I fear we are at the brink of making the same mistakes. We know that SMS and voice-based one-time codes are readily defeated by real-time phishing (a proxy site relays the code to the real service before it expires) or by SIM-swapping attacks, and yet they are among the most commonly deployed MFA methods (source: https://www.okta.com/sites/default/files/2022-02/Businesses-at-Work-2022-Annual-Report_0.pdf). Again, on paper we are making our companies more secure, but in practice, maybe not as much.
Then there is the aspect of friction. When we implement more stringent authentication methods, we risk alienating our users – whether they are customers or employees. By introducing too much friction into the login process, we risk customers abandoning shopping carts and purchasing from competitors who provide a better experience. We have likely all experienced this when shopping online – you’ve found what you’re looking for, but the checkout process is so onerous that you simply abandon the purchase. The same thing happens with employees – they aren’t rewarded for making the company secure, they are rewarded for completing their roles efficiently. When security creates roadblocks to that goal, it encourages the use of unsanctioned applications.
It’s not all doom and gloom, however. Centralizing identity is the first step in solving each of these challenges. When customers have a single identity across multiple web properties, it encourages cross-use of those properties – if I don’t have to sign in again, I’m more likely to use the parallel service. And as an employee, centralized identity encourages me to stay within the company’s approved applications, as they are all available and ready for use, saving me time and effort.
There are tremendous security benefits as well. Because every sign-in flows through one place, security teams have the visibility to correlate access across systems: if a user logs into email from the Americas and then into Salesforce from Europe forty minutes later, that “impossible travel” is a likely account compromise we can react to quickly, which is not possible when each application keeps its own logs. Centralized identity management also acts as a jumping-off point for tighter integrations and simplifies audit governance. If all in-scope applications are assigned and controlled automatically from the employee’s role, we can have confidence that data access is appropriate, and auditors can test the single role-assignment process once rather than testing access in every application separately. Access to sensitive data can be withheld until a user completes the appropriate training, and toxic pairs of entitlements – segregation-of-duties conflicts such as being able to both create a vendor and approve payments to it – can be detected and prevented automatically.
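Two of the detections this paragraph describes, shown as an added example in Python rather than anything from the original post: an impossible-travel check over consecutive sign-ins from a centralized identity provider, and a toxic-pair (segregation-of-duties) check over role assignments. The sign-in events, coordinates, role names and the 1000 km/h speed threshold are all constructed for this example and are not from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events, as a centralized identity provider would
# record them: (user, application, UTC timestamp, latitude, longitude).
# Coordinates and times are made up for this example.
SAMPLE_EVENTS = [
    ("alice", "email", "2022-05-02T13:00:00Z", 43.65, -79.38),       # Toronto
    ("alice", "salesforce", "2022-05-02T13:40:00Z", 52.52, 13.40),   # Berlin, 40 min later
    ("bob", "email", "2022-05-02T09:00:00Z", 37.77, -122.42),        # San Francisco
    ("bob", "salesforce", "2022-05-02T17:30:00Z", 40.71, -74.01),    # New York, 8.5 h later
]

# Constructed role assignments and a hypothetical segregation-of-duties policy:
# nobody may both create vendors and approve payments.
SAMPLE_ROLES = {
    "alice": {"ap_create_vendor", "crm_user"},
    "bob": {"ap_create_vendor", "ap_approve_payment"},
}
TOXIC_PAIRS = [("ap_create_vendor", "ap_approve_payment")]

# Assumed threshold: faster than an airliner between two sign-ins is implausible.
MAX_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    at: datetime
    lat: float
    lon: float


def parse_event(row):
    """Turn one raw event tuple into a SignIn with a timezone-aware timestamp."""
    user, app, ts, lat, lon = row
    at = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return SignIn(user, app, at, lat, lon)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres (Earth radius 6371 km)."""
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_app, to_app, speed_kmh) for every consecutive pair of
    sign-ins by the same user that would require moving faster than max_speed_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.at):
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, sign_ins in by_user.items():
        for prev, cur in zip(sign_ins, sign_ins[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.at - prev.at).total_seconds() / 3600
            if hours > 0:
                speed = dist / hours
            else:
                # Two sign-ins at the same instant from different places are
                # still impossible; avoid the division by zero and flag them.
                speed = float("inf") if dist > 0 else 0.0
            if speed > max_speed_kmh:
                alerts.append((user, prev.app, cur.app, speed))
    return alerts


def find_toxic_pairs(role_assignments, toxic_pairs):
    """Return (user, role_a, role_b) for every user holding both halves of a toxic pair."""
    violations = []
    for user, roles in role_assignments.items():
        for a, b in toxic_pairs:
            if a in roles and b in roles:
                violations.append((user, a, b))
    return violations


def run_sample():
    """Run both checks over the constructed data; the example's entry point."""
    events = [parse_event(r) for r in SAMPLE_EVENTS]
    return find_impossible_travel(events), find_toxic_pairs(SAMPLE_ROLES, TOXIC_PAIRS)


if __name__ == "__main__":
    travel, sod = run_sample()
    for user, src, dst, speed in travel:
        print(f"impossible travel: {user} {src} -> {dst} implies {speed:.0f} km/h")
    for user, a, b in sod:
        print(f"segregation-of-duties violation: {user} holds {a} and {b}")
```

Alice’s Toronto-to-Berlin pair works out to roughly 6,500 km in 40 minutes and is flagged; Bob’s San Francisco-to-New York pair is about 4,100 km over 8.5 hours and is not. Bob does, however, hold both halves of the toxic pair. In a real deployment the geolocation would come from the identity provider’s own sign-in log, and the speed threshold and toxic-pair list would be tuned to the organization.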
There’s no denying that the COVID pandemic has greatly accelerated the digital changes in our lives, and permanently changed the way we live and work online and off. As we return to situations that feel more “normal”, the successful organizations will be the ones that offer the best user experience, and can pivot quickly to providing access in seamless and secure ways through strong identity management.